
ipv6 ipsec & icmpv6

I read this paragraph concerning icmpv6 and ipsec (see attached). Can the experts elaborate on this? Thx

icmpv6 and ipsec
btan, Exec Consultant, commented:
I simply see that IPv6 support of IPsec is mandatory, but the use is not. However, the "myth" that IPv6 packets, even including ICMPv6, can ride on the IPsec tunnel is supposed to be saved since the FW will allow IPsec; malware rides on this fact and tunnels in the IPsec tunnel to bypass FW checks (they can see the IPv6 payload). However, for IPv4, ICMP does not have such a mandate and by default IPv4 ICMP is dropped by the FW as it can be of malicious intent and even used for ICMP flooding DoS... but it makes no difference if ICMPv4 tunnels through IPsec, which the FW allows. In short, this is not really a sound statement to say "Why use IPv6".

Below is more info for reading, from Cisco and NTIA references:

In the IPv6 project many new technologies that did not exist at the time in IPv4 were developed, like IPsec. IPsec is a technology for setting up secure tunnels between hosts or networks. Like many other new things invented for IPv6, IPsec was ported to IPv4 and has been around for many years. At the time when IPv6 and IPsec were invented, there may have been reasons to claim that IPv6 could be more secure than IPv4 (which did not have any secure VPNs). Today, that claim is no longer valid. There are no differences between IPv4 and IPv6 in terms of security. Yes, more IPv6 stacks will have built-in support for IPsec, which is a good thing. But that doesn't make the protocol by itself more secure.

From the beginning, the IPv6 standard has mandated support for IPSec. Many people have falsely translated that to mean an increase in security for IPv6 networks (even though IPSec only deals with authentication, integrity and confidentiality of connections).

IPSec by itself cannot stop all attacks against the IPv6 protocol, such as application-level attacks. Although IPsec support is mandatory in IPv6, IPsec use is not. In fact, many current IPv6 implementations do not include IPsec. It can't even be realistically used for all connections. E.g., many necessary ICMP messages utilize multicast. Utilizing IPSec for these multicast messages is not feasible. Key management for supporting IPSec for each and every connection on an Internet-wide scale for IPv6 is also definitely not trivial.

Therefore, the utilization of IPSec in IPv6 networks will not dramatically increase beyond the levels currently used for IPv4 networks for some time to come. So in reality, both IPv4 and IPv6 have associated security issues (not necessarily the same), but neither protocol is really more secure than the other.
I guess what it means is: in some implementations of IPv6, support of IPsec is mandatory. But it is not necessary to enable IPsec even though it's supported. In that sense, if you enable IPsec then ICMPv6 would travel through IPsec...

E.g. in some Linux distros, rollout of IPv6 would require you to support IPsec, but you can live without enabling it...
IPV6 was designed with IPSEC in mind; in fact IPSEC was developed in the IPV6 development groups and then was integrated into IPV4 later. My point is that IPV6 is a mandatory part of the IPV6 design. So, it is up to the user/application to use IPV6 IPSEC or not.

So, IPV6 IPSEC can be utilized at the network layer e.g. VPNs etc ... or an application can use the inherent IPV6 IPSEC framework to secure a flow from an application perspective.

IPV6 IPSEC is part of the header; it's not a bolt-on like IPV4. Because it is integrated, we can now protect more parts of the IPV6 packet in transit.

harbor235 ;}
noci, Software Engineer, commented:
Some icmp packets for IPv4 as well as IPv6 should be viewed carefully.
ping is not one of them. The ones that do matter concern (re)routing, and those occur in both versions of ICMP.
Also security can be disputed. The IPv4 stacks have weathered the various attacks.
IPv6 stacks are fresh to the world at large, so expect some faults in implementation to surface during the coming years.

Here is a site which presents a lot of info about security w.r.t. IPv6
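As an added illustration of the points made in this thread (not code from any of the posters), the Python below classifies constructed IPv6 packets the way a stateless border firewall following RFC 4890's ICMPv6 filtering advice would: error and echo messages pass, Neighbor Discovery must carry hop limit 255 or it is treated as forged from off-link, Redirects (the "(re)routing" message noci mentions) are dropped, and ESP is passed through as an opaque payload the firewall cannot inspect. The verdict strings and the sample packets are constructed for this example.

```python
import ipaddress
import struct

ESP, ICMPV6 = 50, 58  # IPv6 next-header values for ESP and ICMPv6
# ICMPv6 types a firewall should never drop (RFC 4890): errors and echo
ALWAYS_ALLOW = {1, 2, 3, 4, 128, 129}
# Neighbor Discovery (RS, RA, NS, NA): only valid with hop limit 255 (RFC 4861)
NDP = {133, 134, 135, 136}
REDIRECT = 137  # changes a neighbor's next hop: the "(re)routing" message to watch

def build_ipv6(src, dst, next_header, hop_limit, payload):
    """Constructed sample packet: fixed 40-byte IPv6 header plus payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def icmpv6_msg(icmp_type, body=b"\x00" * 4):
    """Constructed ICMPv6 header: code 0, zero checksum (not verified here)."""
    return struct.pack("!BBH", icmp_type, 0, 0) + body

def parse_ipv6(pkt):
    ver_tc_fl, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    return {"version": ver_tc_fl >> 28, "payload_len": plen, "next": nxt,
            "hop_limit": hlim, "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40])}

def classify(pkt):
    """Verdict for one packet as seen by a stateless border firewall."""
    if len(pkt) < 40:
        return "drop:truncated"
    h = parse_ipv6(pkt)
    if h["version"] != 6:
        return "drop:not-ipv6"
    if h["next"] == ESP:
        # Encrypted payload: the firewall cannot see what rides inside the tunnel
        return "pass:esp-opaque"
    if h["next"] != ICMPV6:
        return "inspect:other-protocol"
    if len(pkt) < 44:
        return "drop:truncated"
    icmp_type = pkt[40]
    if icmp_type in ALWAYS_ALLOW:
        return "allow"
    if icmp_type in NDP:
        # Hop limit other than 255 means the message crossed a router: forged off-link
        return "allow" if h["hop_limit"] == 255 else "drop:ndp-hop-limit"
    if icmp_type == REDIRECT:
        return "drop:redirect"
    return "drop:default"
```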